College Mentors' Data Protection and Information Management Guide
In your role as a college mentor you are likely to create, send or receive information about the University’s students. This information is subject to data protection legislation (including the General Data Protection Regulation) and this guide will help you to ensure that you are aware of your obligations with regard to this legislation and help you to manage the information well.
All college mentors who hold student information must complete the University’s online 'Data Protection and Information Governance' training course, detailed here.
Further details will be provided by your college.
Data protection legislation applies to personal data. Personal data can be factual data about an individual (such as name, address or phone number), details of where an individual was/will be at a certain time, opinions about an individual or a photograph in which an individual can be identified. A sub-category of 'personal data' is 'special categories of personal data' (also known as 'sensitive personal data') which is data about racial/ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or sexual life or genetic/biometric data. Although all personal data should be held securely, there are even stricter requirements for the careful management of special categories of personal data.
The following are examples of documents that you may hold and may contain personal data, or special categories of personal data, about students:
- Emails (and attachments) that you have sent or received about students, including any from the college (or students directly) providing student contact details
- Handwritten notes that you have made about students, such as following a meeting with them
- Copies of forms that you have completed about students at the request of the college
Please note that if you are an employee of the University and have been provided with access to corporate information systems (such as the Banner database) or college/department student information for the purpose of your employment, you should not be using this access to acquire information about your mentees.
The information you require for your role as a college mentor should be provided by the college and directly from your mentees only.
In order to help yourself, and the University, to comply with data protection legislation, please take the following steps:
You must only collect, store, access, share and dispose of personal data as instructed by the college
Data protection legislation requires that the University tightly controls collection, storage, access, sharing and disposal of personal data and it must have a clear lawful basis for using personal data for each and every purpose it needs (or wishes) to do so. Acting outside of the University's policies and procedures may mean breaching legislation so it's important that you ensure that you understand your responsibilities and seek guidance if you are unsure.
Personal data, and especially sensitive personal data, must be held physically secure
You must ensure that personal data cannot be accessed by anyone without appropriate authority to do so. This includes family, friends, colleagues or any third party. Simple steps to help achieve this include ensuring that:
- You use an email account for your mentoring role to which only you have access. This should preferably be a Durham University account
- Passwords are used where relevant to prevent access to electronic documents. Passwords must not be shared.
- Your PC or mobile computing device (smartphone, iPad, tablet) is locked when not in use and anti-virus software is kept up to date
- Paper documents are kept locked away when not in use.
Personal data must be kept confidential
Confidential matters must not be discussed with anyone unless there is a clear and justifiable requirement to do so. No third party (including the police, the council and UK Visas and Immigration) has a right to demand access to personal data without appropriate conditions being met in writing. Any such request for access should be passed to the college. In a life or death situation it is permissible to pass personal data to a third party without seeking to meet certain conditions, but in all cases an immediate attempt should be made to seek advice from the college first.
Any references you provide for students in your role as a college mentor should be personal character references only and should not discuss issues relating to the University. You should not write personal references on University headed paper or send them to prospective employers from a University email account.
If you are asked to provide a corporate reference on behalf of the University, you should refer the request to the college.
Personal data must not be held longer than necessary
You should only keep information about students for as long as it’s required for your role as a college mentor. Once a student has left the University, you should pass to the college any factual information you hold about the student, such as contact details.
All other information must be destroyed. Paper documents should be shredded. Electronic documents should be deleted.
When your role as a college mentor ends, you must do the above for all students that you have mentored.
Individuals, including students, have the right to request formally a copy of the information you hold about them in your role as a college mentor
The University must respond to such a request within a month. It’s therefore very important that, should you receive such a request directly from a student, you forward the request to the college immediately. Similarly, it is important that if you are asked by the college or the University’s Information Governance Unit to provide information that you hold about a student you do so immediately.
You should not provide information directly to the individual. The Information Governance Unit will check the information before release as in some circumstances we may lawfully withhold all or part of it, e.g. documents may contain the personal data of other individuals. In some circumstances it may also be more appropriate for the information to be handed over in person by the college if the student is likely to require support.
You can help yourself and the University to comply with data protection legislation by managing information well. Good practice includes:
- Creating and/or holding only that information about students that is necessary for you to perform your role as a college mentor, and no more
- Ensuring that the information you create is accurate and can be defended if the individual should ask to see it
- Ensuring that you use appropriate tone and language in your communications with (or about) students
- Keeping information (paper and electronic) secure and away from unauthorised access
- Keeping information only as long as necessary.
In the first instance, please refer to your college for advice.
Further information about data protection legislation and information management can be found on the University's website at: www.dur.ac.uk/ig/